core(csp-xss): csp evaluator npm module

lighthouse-core/lib/csp-evaluator.js

@@ -5,25 +5,19 @@
  */
 'use strict';
 
-/**
- * @typedef Finding
- * @property {number} type
- * @property {string} description
- * @property {number} severity Severity value 0-100 where 0 is the most severe.
- * @property {string} directive The directive the finding applies to.
- * @property {string|undefined} value Keyword if the finding applies to one.
- */
+/** @typedef {import('csp_evaluator/finding').Finding} Finding */
 
-const log = require('lighthouse-logger');
-const i18n = require('../lib/i18n/i18n.js');
 const {
-  Parser,
-  Type,
-  Directive,
   evaluateForFailure,
   evaluateForSyntaxErrors,
   evaluateForWarnings,
-} = require('../../third-party/csp-evaluator/optimized_binary.js');
+} = require('csp_evaluator/dist/lighthouse/lighthouse_checks.js');
+const {Type} = require('csp_evaluator/dist/finding.js');
+const {CspParser} = require('csp_evaluator/dist/parser.js');
+const {Directive} = require('csp_evaluator/dist/csp.js');
+
+const log = require('lighthouse-logger');
+const i18n = require('../lib/i18n/i18n.js');
 
 const UIStrings = {
   /** Message shown when a CSP does not have a base-uri directive. Shown in a table with a list of other CSP vulnerabilities and suggestions. "CSP" stands for "Content Security Policy". "base-uri", "'none'", and "'self'" do not need to be translated. */
@@ -146,7 +140,7 @@ function getTranslatedDescription(finding) {
  * @return {Finding[]}
  */
 function evaluateRawCspForFailures(rawCsps) {
-  return evaluateForFailure(rawCsps.map(c => new Parser(c).csp));
+  return evaluateForFailure(rawCsps.map(c => new CspParser(c).csp));
 }
 
 /**
@@ -156,15 +150,15 @@ function evaluateRawCspForFailures(rawCsps) {
  * @return {Finding[]}
  */
 function evaluateRawCspForWarnings(rawCsps) {
-  return evaluateForWarnings(rawCsps.map(c => new Parser(c).csp));
+  return evaluateForWarnings(rawCsps.map(c => new CspParser(c).csp));
 }
 
 /**
  * @param {string[]} rawCsps
  * @return {Finding[][]} Entries are a list of findings corresponding to the CSP at the same index in `rawCsps`.
  */
 function evaluateRawCspForSyntax(rawCsps) {
-  return evaluateForSyntaxErrors(rawCsps.map(c => new Parser(c).csp));
+  return evaluateForSyntaxErrors(rawCsps.map(c => new CspParser(c).csp));
 }
 
 module.exports = {

lighthouse-core/test/lib/csp-evaluator-test.js

@@ -6,7 +6,6 @@
 'use strict';
 
 const {isIcuMessage} = require('../../lib/i18n/i18n.js');
-const {Type} = require('../../../third-party/csp-evaluator/optimized_binary.js');
 const {
   evaluateRawCspForFailures,
   getTranslatedDescription,
@@ -16,63 +15,6 @@ const {
 
 /* eslint-env jest */
 
-describe('Evaluator compatibility', () => {
-  it('finding types', () => {
-    expect(Type).toMatchInlineSnapshot(`
-      Object {
-        "100": "MISSING_SEMICOLON",
-        "101": "UNKNOWN_DIRECTIVE",
-        "102": "INVALID_KEYWORD",
-        "106": "NONCE_CHARSET",
-        "300": "MISSING_DIRECTIVES",
-        "301": "SCRIPT_UNSAFE_INLINE",
-        "302": "SCRIPT_UNSAFE_EVAL",
-        "303": "PLAIN_URL_SCHEMES",
-        "304": "PLAIN_WILDCARD",
-        "305": "SCRIPT_ALLOWLIST_BYPASS",
-        "306": "OBJECT_ALLOWLIST_BYPASS",
-        "307": "NONCE_LENGTH",
-        "308": "IP_SOURCE",
-        "309": "DEPRECATED_DIRECTIVE",
-        "310": "SRC_HTTP",
-        "400": "STRICT_DYNAMIC",
-        "401": "STRICT_DYNAMIC_NOT_STANDALONE",
-        "402": "NONCE_HASH",
-        "403": "UNSAFE_INLINE_FALLBACK",
-        "404": "ALLOWLIST_FALLBACK",
-        "405": "IGNORED",
-        "500": "REQUIRE_TRUSTED_TYPES_FOR_SCRIPTS",
-        "600": "REPORTING_DESTINATION_MISSING",
-        "601": "REPORT_TO_ONLY",
-        "ALLOWLIST_FALLBACK": 404,
-        "DEPRECATED_DIRECTIVE": 309,
-        "IGNORED": 405,
-        "INVALID_KEYWORD": 102,
-        "IP_SOURCE": 308,
-        "MISSING_DIRECTIVES": 300,
-        "MISSING_SEMICOLON": 100,
-        "NONCE_CHARSET": 106,
-        "NONCE_HASH": 402,
-        "NONCE_LENGTH": 307,
-        "OBJECT_ALLOWLIST_BYPASS": 306,
-        "PLAIN_URL_SCHEMES": 303,
-        "PLAIN_WILDCARD": 304,
-        "REPORTING_DESTINATION_MISSING": 600,
-        "REPORT_TO_ONLY": 601,
-        "REQUIRE_TRUSTED_TYPES_FOR_SCRIPTS": 500,
-        "SCRIPT_ALLOWLIST_BYPASS": 305,
-        "SCRIPT_UNSAFE_EVAL": 302,
-        "SCRIPT_UNSAFE_INLINE": 301,
-        "SRC_HTTP": 310,
-        "STRICT_DYNAMIC": 400,
-        "STRICT_DYNAMIC_NOT_STANDALONE": 401,
-        "UNKNOWN_DIRECTIVE": 101,
-        "UNSAFE_INLINE_FALLBACK": 403,
-      }
-    `);
-  });
-});
-
 describe('getTranslatedDescription', () => {
   it('missing script-src', () => {
     const rawCsp = `object-src 'none'`;

package.json

@@ -161,6 +161,7 @@
     "axe-core": "4.1.2",
     "chrome-launcher": "^0.13.4",
     "configstore": "^5.0.1",
+    "csp_evaluator": "^1.0.1",
     "cssstyle": "1.2.1",
     "details-element-polyfill": "^2.4.0",
     "http-link-header": "^0.8.0",